Admin account

[Guest]

We have software installed on clients machine that
requires Admin rights on the local machine. I am having
problems with users installing junk, disabling the user
password on the screen saver and doing things to their PC
that I do not have control of. Is there anyway that I can
do to enable the admin rights but control what the users
do to the pc?

 

[Steven L Umbach]

You can try to use Group Policy for domain users to prevent them form doing such
including adding setup.exe and install.exe to the disallowed Windows Applications
list in user configuration/administrative templates/system and also disabling the
command prompt and registry editing after reading the full explanation first of any
settings you enable but it really is impossible to restrict an administrator if they
know the power of the account. For example if they create a local user account for
themselves, they can logon to that and bypass domain user configuration policy or
unjoin the computer from the domain.

Your best approach would be to find a way to remove them from the local
administrators group - even a power user would be much preferable. You may also try
top contact the software publisher to lean on them for ways to modify ntfs/registry
permission to allow a regular user to use their application. It may be possible to do
it yourself by using free tools from SysInternals such as filemon and regmon. You
would have to logon as a regular user, then use runas to invoke filemon and then view
the log to see where permissions denied access to a file, make necessary changes and
try again. See the link below on where to get those tools. --- Steve

http://www.sysinternals.com/